Customer due diligence is critical in this era of COVID-19.
Small-business owners aren’t the only ones eager to get their hands on Paycheck Protection Program funds.
From 9/11 to Hurricane Sandy and now, during COVID-19, federal relief funds aimed to help individuals and businesses recover following a disaster become subject to fraud. PPP loans are no exception, yet the nature of these loans makes them particularly susceptible to both fraud and misuse. Bad actors are surfacing, and the financial crimes divisions of community financial institutions are struggling with the realization that some of the loans they rushed through may be fraudulent.
The first federal arrests in connection with PPP fraud were announced in May. As the initial rush to secure PPP loans dies down, financial institutions now face a new set of questions: How do we handle misused, unforgiven and fraudulent loans? Is there a difference? What red flags should credit unions be on the lookout for?
Fraud and Disaster Relief: A Tale as Old as Time
The Department of Justice recently charged two businessmen in Rhode Island with fraudulently seeking PPP loans, the first in the country linked to the loan program. Industry officials warn this case won’t be the last. In fact, they estimate fraud rates could be as high as 10% to 12%—consistent with loan fraud from other disasters.
In the case of the two men in Rhode Island, several red flags pointed to fraud. Their loan requests, according to court documents, were made to pay employees for a business that was not operating at the time of pandemic and had no salaried employees. In one instance, the business was not even owned by one of the borrowers.
“Thankfully, we were able to stop them before taxpayers were defrauded, but today’s arrests should serve as a warning to others that the FBI and our law enforcement partners will aggressively go after bad actors like them who are utilizing the COVID-19 pandemic as an opportunity to commit fraud,” said Joseph Bonavolonta, special agent in charge of the FBI’s Boston Field Office, in the DOJ press release.
Other forms of fraud include identity theft, misrepresentation—such as inflating payroll numbers—and “loan stacking,” which the Office of the Comptroller of Currency defines as an applicant receiving PPP loans from multiple lenders.
Ruth’s Chris Steakhouse, Shake Shack and the Los Angeles Lakers made headlines last month when they, along with other public companies, received PPP loans. In response, the SBA and Treasury provided additional guidance in their FAQ stating businesses must “assess their economic need for a PPP loan” and certify “in good faith” that their request is “necessary.” Furthermore, the FAQ clarifies that the loans were not intended for companies with access to equity in the market. Borrowers that received loans prior to the issuance of the latest FAQ had until May 18, 2020, (extended from May 7 and May 14) to repay the loan in full to avoid “administrative enforcement.”
While U.S. Secretary of the Treasury Steven Mnuchin has pledged to review all PPP loans over $2 million, the SBA has stated that all loans less than $2 million will be deemed to have been made in good faith, according to the lastest FAQ published. This is welcome news for community financial institutions.
Mixed Messages on Due Diligence
The launch of the PPP was met with chaos and confusion. Borrowers were desperately looking to obtain loans through their lenders, and lenders were desperately searching for more information on the program. As the interim final rule states, the intent of the PPP is to provide small business relief “expeditiously.” Time is of the essence for the first-come, first-served program, but it left significantly less time for judicious know your customer and other due diligence. Typical stringent SBA requirements, such as collateral and personal guarantees, are not required for the program to help lenders disburse loans more quickly.
SBA has said that lenders would be held harmless for borrowers’ failure to comply with the criteria laid out for the PPP, but many lenders still fear they will be culpable—at least in certain circumstances. Bankers and credit union leaders still have many questions regarding the steps they should take both to prevent fraud and protect themselves from liability, even as they face pressure to issue loans quickly.
Although PPP loans are guaranteed by the SBA, one thing is certain: If a financial institution does not conduct sufficient due diligence on a PPP borrower and a fraudulent loan is funded, it may have risk exposure and possible financial loss. Due diligence steps that should be taken by banks and credit unions include the following:
- If the loan is being made to an existing customer and the customer identification program information was previously verified, there is no need to re-verify the information.
- New customers should have full customer due diligence performed on a risk-focused approach as outlined in the financial institution’s Bank Secrecy Act policy.
- Extensive due diligence should be conducted on all businesses and principals—if not performed at the time of funding, this should be done as soon as possible.
- Balance the borrower’s anticipated payroll costs with the number of actual employees—plan site visits to verify the number of employees disclosed makes sense.
- PPP loans should be tracked in AML/fraud transaction monitoring software (i.e., using a unique product code or tagging within the system).
- As with all suspicious activity monitoring, thoroughly document all due diligence steps.
Credit unions should follow all suspicious activity report requirements for fraud reporting and be sure to start the 30-day SAR clock as soon as fraud is detected. If a borrower does not comply with the PPP criteria and the loan is not forgiven, an SAR may be warranted for loans that are termed out. Financial crimes units should work closely with the lenders, enhancing training that includes PPP monitoring. It is not too late to perform CDD and transaction monitoring of these businesses. Regulators will expect it.